v2.11-SaaS¶
05 Nov, 2024
The section below provides a brief description of the new functionality and enhancements in this release.
Amazon EKS¶
Ubuntu 22.04 Node AMI Family Support¶
Support has been added for Ubuntu 22.04 AMI family for node groups with this release.
Pod Identity¶
The EKS Pod Identity feature simplifies granting AWS IAM permissions to Kubernetes applications running in an Amazon EKS cluster. Support for this feature for clusters managed through the Rafay platform is being added with this enhancement. Support has been added for:
- Installation of the Amazon EKS Pod Identity Agent Add-on: This agent runs as a DaemonSet on the cluster. It can be installed both on Day 0 for new clusters and on Day 2 for existing clusters
- Creation of Pod Identity Associations: This allows specific Kubernetes service accounts to be associated with IAM roles
- Migrating existing IRSA to Pod Identity Associations: This allows migrating existing IAM Roles for Service Accounts (IRSA) to Pod Identity associations
Info
To learn more about how to use EKS Pod Identity and its associations with Rafay, please read the following blogs: Introducing EKS Pod Identity and EKS Pod Identity with Rafay.
This feature will be supported through all interfaces including UI, RCTL, Terraform, System Sync and Swagger APIs.
Add-on Deployment in Day 0
Add-on Deployment in Day 2
Pod Identity Associations
Migration
Note
- Pod identity associations for EKS managed add-ons are not available in this release and will be included in a subsequent release
- Permissions Required: To use this feature, the following IAM permissions are necessary for the role or user that is part of the cloud credentials: "eks:CreatePodIdentityAssociation", "eks:DescribePodIdentityAssociation", "eks:DeletePodIdentityAssociation", "eks:UpdatePodIdentityAssociation", "eks:ListPodIdentityAssociations". To migrate from IRSA to Pod Identity Associations, you will need an additional permission for tags, iam:UntagRole, along with the above set of permissions
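As an added example (not Rafay's or AWS's code), the following Python pre-flight check tests whether the IAM policy document attached to the cloud-credential role or user grants the permissions listed above, including the extra iam:UntagRole needed only for IRSA migration. The sample policy is constructed for illustration; Resource and Condition elements are assumed unrestricted.

```python
import fnmatch
import json

# Permissions the release note lists for the role/user behind the cloud credential.
POD_IDENTITY_ACTIONS = [
    "eks:CreatePodIdentityAssociation",
    "eks:DescribePodIdentityAssociation",
    "eks:DeletePodIdentityAssociation",
    "eks:UpdatePodIdentityAssociation",
    "eks:ListPodIdentityAssociations",
]
# Extra permission needed only when migrating IRSA to pod identity associations.
IRSA_MIGRATION_ACTIONS = ["iam:UntagRole"]

def _as_list(value):
    # IAM allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are matched case-insensitively and support '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def action_allowed(policy, action):
    """True if some Allow statement covers `action` and no Deny statement does.
    Resource and Condition elements are ignored (assumed unrestricted here)."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(_as_list(stmt.get("Action", [])), action):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied

def missing_permissions(policy, migrate_irsa=False):
    """Return the listed permissions that the policy does not grant."""
    required = POD_IDENTITY_ACTIONS + (IRSA_MIGRATION_ACTIONS if migrate_irsa else [])
    return [a for a in required if not action_allowed(policy, a)]

# Constructed sample policy: wildcards cover Describe/List, Update is missing.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["eks:CreatePodIdentityAssociation", "eks:Describe*", "eks:List*",
              "eks:DeletePodIdentityAssociation"]}]}""")

if __name__ == "__main__":
    print(missing_permissions(SAMPLE_POLICY, migrate_irsa=True))
```

Run it against the policy exported from IAM before enabling the feature; an explicit Deny anywhere in the document is reported as missing even if another statement allows the action.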
Info
Click here to learn more about Rafay's support for EKS Pod Identity.
Upstream Kubernetes for Bare Metal and VMs¶
The features in this section are for Rafay's Kubernetes Distribution (aka Rafay MKS).
Ubuntu 24.04 LTS¶
Support has been added for the Ubuntu 24.04 LTS operating system. This allows users to leverage Ubuntu 24.04-based nodes for their Rafay MKS clusters.
Cordon/Uncordon/Drain Node Actions¶
New node actions have been introduced including Cordon, Uncordon, and Drain. These actions enable users to more efficiently manage nodes. These actions will be supported through UI, RCTL, and Swagger API interfaces. For governance and compliance purposes, for each of these actions, an immutable audit log entry will be added to the centralized audit logging system.
Info
For information on CLI commands, please refer here.
LDAP Support¶
It is now possible to run the Conjurer binary on a node with an LDAP user and install the minion agent.
Inter-Pod Communication Check¶
Enhanced MKS cluster provisioning to include an inter-pod communication check. After each node addition, a pod is deployed on the newly added node to verify seamless pod-to-pod communication between the new node and existing master nodes.
Terraform/OpenTofu Provider¶
In addition to using the existing interfaces (UI, API, CLI and GitOps SystemSync), users can now also use Terraform/OpenTofu providers to manage the lifecycle (i.e. configure, provision, upgrade, scale, delete) of Rafay MKS based upstream Kubernetes clusters.
Furthermore, support has also been added for a data source for upstream Kubernetes clusters (rafay_mks_cluster). This enhancement allows users to query and use specific cluster-related information during the lifecycle management process, offering more flexibility and control in their automation workflows.
Users will be able to leverage this functionality with version 1.37 of Rafay's Terraform Provider.
Environment Manager¶
Drivers (aka Workflow Handlers)¶
It is possible today to execute custom workflows by packaging them as a container and/or through a set of HTTP calls. Support has been added to Drivers/Workflow Handlers to execute code written in Go or Python with this enhancement.
Drivers/Workflow Handlers can be leveraged at multiple places including as part of:
- Resource templates through the Custom Provider option
- Hooks attached to the resource/environment template configuration (e.g. approval is needed in ServiceNow before environment provisioning is initiated)
- Schedule policy (e.g. capture snapshot of K8s resources every 24 hrs)
The ability to execute custom code written in Go or Python will initially be supported through the RCTL CLI, Terraform, System Sync and API interfaces. Support for the UI interface will be added in a subsequent release. For more information on this feature, please refer here.
UI support for Schedules¶
Support for the Schedules feature through the RCTL CLI, System Sync and API interfaces was added in a previous release. This release adds support for the UI interface.
GitOps¶
UI enhancements: Pipelines and Approvals¶
A number of UI improvements have been implemented for the Pipelines and Approvals pages. These are intended to make it easy to get visibility around recent pipeline runs & pending approvals.
Pipelines page:
- Ability to search by pipeline name
- Ability to sort by columns
- Additional columns, "Created At" and "Last Run"
Approvals page:
- Ability to search by pipeline name
- Ability to filter by Status (pending or approved)
System to Git Sync¶
In scenarios where the Platform team has standardized on GitOps as the choice of interface for the SRE/end user teams (i.e. all actions are driven through spec files in the Git repo), there are challenges around educating SRE/end user teams on folder structure that needs to be used for various resources (e.g. clusters).
With this enhancement, the required folder structure (empty folders) is automatically created for all resources that have been selected as part of the System Sync pipeline on the first System to Git sync. This makes it extremely easy for Platform teams to onboard new teams (create a project, a system sync pipeline and hand-off to the SRE/end user teams).
Role Based Access¶
Break Glass Workflows¶
There are scenarios where users (e.g. developers) may require elevated privileges for a specific period of time, for example to troubleshoot an application running in a production cluster. This new feature allows Platform teams (Org admins) to:
- Temporarily assign users to override groups with elevated privileges
- Integrate with external systems of record such as ServiceNow or Jira to enable workflows where access can be granted upon approval
- Rely on centralized audit logs that capture each temporary access assignment/delete action, giving Platform teams (Org Admins) full visibility into users who have temporary access across the organization
- Stream the audit logs to the organization's SIEM such as Splunk
- Export the audit logs as a CSV
Administrators can configure and use this feature through the UI, RCTL CLI, Terraform and API interfaces.
Shown below is an example of a break glass configuration.
Shown below is an example of the audit logs for break glass.
Info
To learn more about the concepts behind break glass, please read our recent blogs: An Introduction to Break Glass Workflows for Developer Access to Kubernetes Clusters and Enhancing Security and Compliance in Break Glass Workflows with Rafay. For more information about this feature, please refer here.
Cost Management¶
Google Cloud Platform (GCP)¶
Support has been added to configure Cost Profiles for GCP with this enhancement. This allows customers to leverage the chargeback and cluster/application rightsizing capabilities available today for GKE clusters as well.
Info
For more information on this feature, please refer here.
Audit Logs¶
Namespace Operations¶
Audit logs are being added for namespace creation/deletion operations that were handled implicitly by the controller. An example of this is an implicit namespace creation as part of an add-on deployment during the blueprint sync process.
User Experience in Rafay Console¶
Namespace Admin users¶
A number of improvements have been implemented to improve the UX for namespace admin roles. These include filtering objects in the UI and the ability to download the kubeconfig for a specific cluster (versus a consolidated kubeconfig).
Page Size Selection¶
With this enhancement, any changes that the user makes to the 'rows per page' selection will be persisted across pages for that specific browser session.
Node labels¶
With this enhancement, node labels are organized into sections and are searchable.
Bug Fixes¶
| Bug ID | Description |
|---|---|
| RC-30381 | Backup/restore jobs are not cleaned up when the cluster is deleted |
| RC-37499 | Upstream k8s: Unable to add worker nodes to existing clusters in certain scenarios |
| RC-36543 | Blueprint Sync operation is not successful when updating the blueprint version to remove an undesired add-on |
| RC-28677 | UI: 404 error when pod metrics are unavailable |
| RC-33389 | Modified time is updated and audit log entries are created on a workload publish action even when there are no changes |
| RC-32540 | UI: Validate option for cloud credentials for backup/restore is not disabled |
| RC-37499 | Upstream k8s: Inability to add a worker node to an existing cluster in certain scenarios |
| RC-38160 | UI: Arrow mark does not rotate on sorting columns on the GitOps pipeline page |
| RC-37716 | UI: Node details field text is not wrapped appropriately |